[ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13984665#comment-13984665 ]

ASF subversion and git services commented on CLOUDSTACK-6533:
-------------------------------------------------------------

Commit b2b59ed83a566762c960371717b7998b4719ba70 in cloudstack's branch 
refs/heads/4.4-forward from [~minchen07]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=b2b59ed ]

CLOUDSTACK-6533: IAM - Templates - Public templates do not have
permissions to be used by ROOT group.


> IAM - Templates - Public templates do not have permissions to be used by ROOT 
> group.
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6533
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Templates - Public templates do not have permissions to be used by ROOT 
> group.
> As a regular user, create a public template.
> In iam_policy_permission policy we do not have permission for Admin group.
> mysql>  select * from iam_policy_permission where scope_id = 206;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 4949 |         3 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> | 4950 |         1 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> mysql> select * from vm_template where id=206;
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | id  | unique_name                                  | name                       | uuid                                 | public | featured | type | hvm | bits | url                             | format | created             | removed | account_id | checksum | display_text                | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size    | state  | update_count | updated | dynamically_scalable |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a |      1 |        1 | USER |   1 |   64 | http://10.223.110.232:/test.vhd | VHD    | 2014-04-29 11:03:52 | NULL    |        318 | NULL     | public and feature Template |               0 |             0 |          12 |        1 |           0 |           0 |           1 | Simulator       |               NULL | NULL         |        0 | 5242880 | Active |            0 | NULL    |                    0 |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)
> In spite of not having the required permissions to use the template, admin is 
> able to use this template for vm deployment. Root cause for this bug is 
> similar to bug CLOUDSTACK-6517.
> The same behavior is also observed for default templates:
> mysql> select * from iam_policy_permission where scope_id = 111;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 3315 |         3 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> | 3316 |         1 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> 2 rows in set (0.00 sec)
> mysql> select * from vm_template where id=111;
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | id  | unique_name      | name                                  | uuid                                 | public | featured | type    | hvm | bits | url                                                                                                     | format | created             | removed | account_id | checksum | display_text                          | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size       | state  | update_count | updated | dynamically_scalable |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | 111 | simulator-Centos | CentOS 5.3(64-bit) no GUI (Simulator) | 7200e25a-ca4b-11e3-907f-4adf980f9414 |      1 |        1 | BUILTIN |   0 |   64 | http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2 | VHD    | 2014-04-22 14:25:13 | NULL    |          1 |          | CentOS 5.3(64-bit) no GUI (Simulator) |               0 |             0 |          11 |        1 |           0 |           1 |           0 | Simulator       |               NULL | NULL         |        0 | 2147483648 | Active |         NULL | NULL    |                    0 |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
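
The gap described in the report (public templates with no permission row for a given group's policy) can be audited with one query. The following is an added example, not CloudStack code or part of the original message. It assumes SQLite as a stand-in for MySQL and a reduced column set; templates 300-302, permission ids 9001-9006 and policy id 2 (a hypothetical stand-in for the ROOT admin group's policy, which the report does not identify) are constructed.

```python
import sqlite3

# Constructed data: only the columns the audit needs, SQLite standing in for MySQL.
# Rows for templates 206 and 111 copy the report; 300-302 and policy id 2 (a
# hypothetical stand-in for the ROOT admin group's policy) are made up.
SAMPLE = """
CREATE TABLE vm_template (id INTEGER PRIMARY KEY, name TEXT, public INTEGER, removed TEXT);
CREATE TABLE iam_policy_permission (id INTEGER PRIMARY KEY, policy_id INTEGER,
    action TEXT, resource_type TEXT, scope_id INTEGER, scope TEXT,
    access_type TEXT, permission TEXT, removed TEXT);
INSERT INTO vm_template VALUES
    (206, 'Public_featured_d2a-G3GJQW', 1, NULL),
    (111, 'CentOS 5.3(64-bit) no GUI (Simulator)', 1, NULL),
    (300, 'constructed-private', 0, NULL),
    (301, 'constructed-public-granted', 1, NULL),
    (302, 'constructed-public-revoked', 1, NULL);
"""
GRANTS = [  # (permission id, policy_id, template id, removed)
    (4949, 3, 206, None), (4950, 1, 206, None),
    (3315, 3, 111, None), (3316, 1, 111, None),
    (9001, 1, 301, None), (9002, 2, 301, None), (9003, 3, 301, None),
    (9004, 1, 302, None), (9005, 3, 302, None),
    (9006, 2, 302, "2014-05-01 00:00:00"),  # soft-deleted grant must not count
]
# Public, live templates with no live Allow/UseEntry row for the given policy.
AUDIT = """
SELECT t.id FROM vm_template t
WHERE t.public = 1 AND t.removed IS NULL AND NOT EXISTS (
    SELECT 1 FROM iam_policy_permission p
    WHERE p.scope_id = t.id AND p.policy_id = ? AND p.removed IS NULL
      AND p.resource_type = 'VirtualMachineTemplate' AND p.scope = 'RESOURCE'
      AND p.access_type = 'UseEntry' AND p.permission = 'Allow')
ORDER BY t.id
"""

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    conn.executemany(
        "INSERT INTO iam_policy_permission VALUES (?, ?, 'listTemplates',"
        " 'VirtualMachineTemplate', ?, 'RESOURCE', 'UseEntry', 'Allow', ?)", GRANTS)
    return conn

def missing_grants(conn, policy_ids):
    """Map each policy id to the public template ids it has no live grant on."""
    return {pid: [row[0] for row in conn.execute(AUDIT, (pid,))] for pid in policy_ids}

if __name__ == "__main__":
    print(missing_grants(build_sample(), [1, 2, 3]))
```

A non-empty list for a policy means access to those templates is either being denied or, as in the report, being allowed by something other than the permission table.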
